Details of VAR-202001-1230

ID

VAR-202001-1230

CVE

CVE-2014-1924

TITLE

Koha In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-008839

DESCRIPTION

The MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 does not require authentication, which allows remote attackers to conduct SQL injection attacks via unspecified vectors. Koha In SQL An injection vulnerability exists.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Koha is prone to the following security vulnerabilities: 1. An arbitrary file-access vulnerability 2. A directory-traversal vulnerability 3. An arbitrary file-write vulnerability 4. An SQL-injection vulnerability An attacker may leverage these issues to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, read or write arbitrary files from the web server, and potentially obtain sensitive information on the affected application. This may aid in further attacks

Trust: 1.89

sources: NVD: CVE-2014-1924 // JVNDB: JVNDB-2014-008839 // BID: 65448

AFFECTED PRODUCTS

vendor:	koha	model:	koha	scope:	lt	version:	3.08.23	Trust: 1.0
vendor:	koha	model:	koha	scope:	lt	version:	3.12.10	Trust: 1.0
vendor:	koha	model:	koha	scope:	gte	version:	3.10.00	Trust: 1.0
vendor:	koha	model:	koha	scope:	gte	version:	3.14.00	Trust: 1.0
vendor:	koha	model:	koha	scope:	gte	version:	3.12.00	Trust: 1.0
vendor:	koha	model:	koha	scope:	lt	version:	3.14.03	Trust: 1.0
vendor:	koha	model:	koha	scope:	lt	version:	3.10.13	Trust: 1.0
vendor:	koha	model:	library software community koha	scope:	eq	version:	3.8.22	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	eq	version:	3.14.2	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	eq	version:	3.12.9	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	eq	version:	3.10.12	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	ne	version:	3.8.23	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	ne	version:	3.14.3	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	ne	version:	3.12.10	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	ne	version:	3.10.13	Trust: 0.3

sources: BID: 65448 // NVD: CVE-2014-1924

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-1924
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2014-1924
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202001-1090
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2014-1924
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2014-1924
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2014-1924
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2014-008839 // CNNVD: CNNVD-202001-1090 // NVD: CVE-2014-1924

PROBLEMTYPE DATA

problemtype:	CWE-89	Trust: 1.0
problemtype:	SQL injection (CWE-89) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2014-008839 // NVD: CVE-2014-1924

THREAT TYPE

network

Trust: 0.3

sources: BID: 65448

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202001-1090

PATCH

title:	Bug 11666 Koha	url:	https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11666	Trust: 0.8
title:	Koha SQL Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=112801	Trust: 0.6

sources: JVNDB: JVNDB-2014-008839 // CNNVD: CNNVD-202001-1090

EXTERNAL IDS

db:	NVD	id:	CVE-2014-1924	Trust: 2.7
db:	OPENWALL	id:	OSS-SECURITY/2014/02/07/10	Trust: 1.6
db:	OPENWALL	id:	OSS-SECURITY/2014/02/10/3	Trust: 1.6
db:	JVNDB	id:	JVNDB-2014-008839	Trust: 0.8
db:	CNNVD	id:	CNNVD-202001-1090	Trust: 0.6
db:	BID	id:	65448	Trust: 0.3

sources: BID: 65448 // JVNDB: JVNDB-2014-008839 // CNNVD: CNNVD-202001-1090 // NVD: CVE-2014-1924

REFERENCES

url:	http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11666	Trust: 1.9
url:	http://koha-community.org/security-release-february-2014/	Trust: 1.9
url:	http://www.openwall.com/lists/oss-security/2014/02/07/10	Trust: 1.6
url:	http://www.openwall.com/lists/oss-security/2014/02/10/3	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2014-1924	Trust: 1.4
url:	http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11660	Trust: 0.3
url:	http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11661	Trust: 0.3
url:	http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11662	Trust: 0.3
url:	http://koha-community.org/	Trust: 0.3

sources: BID: 65448 // JVNDB: JVNDB-2014-008839 // CNNVD: CNNVD-202001-1090 // NVD: CVE-2014-1924

CREDITS

Chris Cormack, Galen Charlton, and John Lightsey

Trust: 0.3

sources: BID: 65448

SOURCES

db:	BID	id:	65448
db:	JVNDB	id:	JVNDB-2014-008839
db:	CNNVD	id:	CNNVD-202001-1090
db:	NVD	id:	CVE-2014-1924

LAST UPDATE DATE

2024-11-23T22:16:39.958000+00:00

SOURCES UPDATE DATE

db:	BID	id:	65448	date:	2014-02-07T00:00:00
db:	JVNDB	id:	JVNDB-2014-008839	date:	2020-02-13T00:00:00
db:	CNNVD	id:	CNNVD-202001-1090	date:	2021-01-04T00:00:00
db:	NVD	id:	CVE-2014-1924	date:	2024-11-21T02:05:17.070

SOURCES RELEASE DATE

db:	BID	id:	65448	date:	2014-02-07T00:00:00
db:	JVNDB	id:	JVNDB-2014-008839	date:	2020-02-13T00:00:00
db:	CNNVD	id:	CNNVD-202001-1090	date:	2020-01-24T00:00:00
db:	NVD	id:	CVE-2014-1924	date:	2020-01-24T17:15:12.327